Emergency Operation in the Power Supply Domain According to ISO 26262

Abstract

The automotive industry is currently driven by the megatrends electrification, automated driving, and connectivity. To cope with these trends, new functionalities and electric and/or electronic systems must be developed, which require a safe power supply by the power supply system. This leads to increased functional safety requirements for the power supply system, particularly regarding availability. Fault tolerance measures can be implemented to address a safety goal specifying a safety-related availability requirement. In this case, emergency operation (EO) may be necessary to reach a defined safe state. The definitions and examples provided in ISO 26262 focus on cold redundancy, whereby the backup system is not engaged during nominal operation. The objective of this paper is to evaluate EO in the context of ISO 26262 in detail and map the results to an exemplary power supply system architecture implementing cold redundancy. In general, the EO is considered to be free from unreasonable risk even though the actual automotive safety integrity level (ASIL) capability of the item is lower than the initially specified ASIL rating for the hazard due to its timing restrictions. To determine the maximum permissible duration of EO, not just random hardware faults shall be considered; additionally, systematic effects shall be considered. Furthermore, an EO may be entered due to transient faults potentially causing temporary EOs – introducing the necessity of an EO recording, e.g. by accumulating the time of all temporary EOs.